Some risk event notifications show as sent with a two-minute delay, even with priority event notification enabled

In Symantec Endpoint Protection Manager (SEPM) 12.1.4, you have enabled priority event notifications, which are sent outside the scope of the client heartbeat. You have configured multiple risk-related notifications, including Single Risk Event. However, when you review the logs, you notice that some notifications are sent about two minutes after other notifications for the same detection.

This is an example of what the SEPM displays when you view the detailed event information under Monitors > Logs > Risk > View Log.

The default mechanism for selecting risk events subtracts two minutes from the present time. This mechanism prevents notifications from excluding risk events. Because SEP 12.1.4 can be configured to bypass the normal client-server communication and send priority events immediately, this protective default can delay the notification trigger.

Reconfigure the default value of the notification task mechanism.

Open conf.properties with Notepad. This file is located in the following folder:

SEPM Installation\tomcat\etc

Where SEPM Installation is the SEPM installation path.

By default, this path is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager on a 64-bit system, and C:\Program Files\Symantec\Symantec Endpoint Protection Manager on a 32-bit system.

Add the line

scm.server.task.securityalertnotifytask.delta = x

Where x is one of the following values:

To speed up notification from the default, set the value of x to 1.

To disable this feature, set the value of x to 0.

Note: If you set the value to 0, you remove the notification trigger delay, but as a consequence, some notifications may exclude some events.
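
The trade-off described in the note, as a simplified model added here (not Symantec's code): a periodic task selects events detected up to "now minus delta" and can only see events already written to the log. The 60-second task period, treating the delta value as minutes, and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass

TASK_PERIOD = 60  # assumed: the notify task runs once per minute


@dataclass(frozen=True)
class RiskEvent:
    name: str
    detected_at: int  # second at which the client detected the risk
    logged_at: int    # second at which the event became visible on the server


def run_notify_task(events, delta_minutes, end=600):
    """Return {event name: second its notification fired}.

    An event missing from the result was excluded from every notification.
    """
    delta = delta_minutes * 60
    sent = {}
    prev_cutoff = 0
    for now in range(TASK_PERIOD, end + 1, TASK_PERIOD):
        # Select only events detected in (prev_cutoff, now - delta].
        cutoff = max(now - delta, prev_cutoff)
        for ev in events:
            in_window = prev_cutoff < ev.detected_at <= cutoff
            if in_window and ev.logged_at <= now:
                sent[ev.name] = now
        # The window always advances, so a late-logged event is never revisited.
        prev_cutoff = cutoff
    return sent


# Constructed sample: the same detection time, reported two different ways.
EVENTS = [
    RiskEvent("priority", detected_at=170, logged_at=171),   # sent immediately
    RiskEvent("heartbeat", detected_at=170, logged_at=230),  # arrives at next heartbeat
]

if __name__ == "__main__":
    for delta in (2, 1, 0):
        sent = run_notify_task(EVENTS, delta)
        for ev in EVENTS:
            if ev.name in sent:
                wait = sent[ev.name] - ev.detected_at
                print(f"delta={delta} {ev.name}: notified after {wait}s")
            else:
                print(f"delta={delta} {ev.name}: excluded from notifications")
```

In this model a delta of 2 notifies on both events but only 130 seconds after detection, a delta of 1 shortens that to 70 seconds, and a delta of 0 notifies on the priority event after 10 seconds while the heartbeat-delivered event is never included.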